The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Computer networks typically comprise interconnected routers, switches, and other network infrastructure elements, which are collectively termed “network devices.” The management of computer networks often involves changing the configuration of one or more network devices by issuing one or more directives to the devices through an interface that is provided by the devices. An improper or unauthorized configuration change can disable the devices or cause harm to the network. Therefore, network administrators wish to have a way to require a network device to authenticate the source of a configuration change before accepting the configuration change.
Further, two recognized threats in the foregoing context create a need for multiple verifiable levels of authorization for a configuration change on a device. The first threat is that a malicious or unauthorized party (“attacker”) may gain access to the authentication information of a single authorized user. The second threat is that an authorized user may abuse his or her authority.
The first threat, in which an attacker gains access to authentication information of a single user, can occur in numerous ways. For example, the attacker might obtain the password of an authorized individual simply by visual observation as the authorized individual enters the password. Other cases include dictionary attacks on the protected network element, as well as eavesdropping on an unprotected connection. The use of smart “one-time password” tokens and encryption has mitigated some of these attacks; however, if the attacker has the token and the password, he or she can access the protected network element.
The second threat involves a user who has the correct authorization to access a function of a network element, but misuses that authorization. Presently there is no known mechanism to allow review of changes on the device. Simple password mechanisms to provide such review are insufficient, because there is no present mechanism for associating a password with a particular block or portion of configuration requiring review.
Other past approaches have other drawbacks or shortcomings. For example, the network management system known as CiscoWorks 2000/Resource Management Essentials (RME), from Cisco Systems, Inc., San Jose, Calif., has a form of chain-of-approval checking. However, all such changes must be made through RME, and cannot be made on the device itself.
Passwords generally do not provide any indication of what was approved, but just that something was approved. For instance, a person can call and request a password for an approval for a trivial change, when in fact the person is about to make a catastrophic change.
The TACACS, TACACS+, RADIUS, and Diameter protocols provide a means for centralized authentication, authorization, and accounting, including centralized password management. TACACS+ allows for authorization of specific commands, but it does not provide assurance of what is being changed.
One-time passwords (OTPs) allow for a password to only be used once. For example, the SafeWord password generator from Secure Computing Corporation, Roseville, Minn., can generate one-time passwords that may be authenticated by a server-side element. However, conventional use of one-time passwords does not associate the password with a particular network element configuration operation or set of operations.
Pretty Good Privacy (PGP), commercially implemented by Network Associates, Santa Clara, Calif., and implemented in an open-source project known as GPG, provides a set of message formats for exchanging public keys and for messages that are signed or encrypted with the corresponding public/private key pairs. SHA-1 is a cryptographic hash algorithm (one that has since been shown to be weak against collision attacks), but it has not been used to address the needs identified above.
Digital signatures provide a verifiable means to determine that one or more individuals authenticate some data. The RSA algorithm and discrete-logarithm based schemes such as DSA provide two means of implementing digital signatures for a variety of purposes; Diffie-Hellman, by contrast, is a key-agreement method and does not itself produce signatures. Prior approaches have used digitally signed operating system images for network devices, but have not signed configuration commands, configuration files, or subsets of configuration files. The TRIPWIRE program verifies only the integrity of a system: it can identify changes that were made to a system, but it does not authorize changes to a system. In addition, TRIPWIRE cannot authenticate users with multiple levels of authority.
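The following Go program is an added illustration, not part of this application or of any product named above. It shows what a digital signature bound to a specific configuration block provides that a password or one-time password does not: the device can check that each required level of authority (here two assumed roles, “operator” and “approver”) signed exactly the block being applied, and it rejects a block that was edited after approval or that lacks one of the required levels. The role names, the sample configuration block, and the Ed25519 keys generated at startup are all constructed for the example; in practice the public keys would be provisioned on the device out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Approval is one signer's detached signature over a specific configuration
// block, tagged with the role (authorization level) it was issued under.
type Approval struct {
	Role string
	Sig  []byte
}

// approvalMessage is what actually gets signed: SHA-256 over the role name,
// a separator, and the exact bytes of the configuration block. Binding the
// role in prevents an "operator" signature from being relabelled as an
// "approver" signature, and hashing the block ties the approval to this
// change and no other.
func approvalMessage(role string, cfg []byte) []byte {
	h := sha256.New()
	h.Write([]byte(role))
	h.Write([]byte{0}) // domain separator between role and block
	h.Write(cfg)
	return h.Sum(nil)
}

// Sign produces an approval for cfg under the given role.
func Sign(role string, priv ed25519.PrivateKey, cfg []byte) Approval {
	return Approval{Role: role, Sig: ed25519.Sign(priv, approvalMessage(role, cfg))}
}

// Verify is the check a device would run before applying cfg: every required
// role must have a valid signature, made with that role's trusted key, over
// exactly this block. A missing level, an unknown role, or a mismatch (for
// example the block was edited after it was approved) rejects the change.
func Verify(cfg []byte, approvals []Approval, trusted map[string]ed25519.PublicKey, required []string) error {
	seen := make(map[string]bool)
	for _, a := range approvals {
		pub, ok := trusted[a.Role]
		if !ok {
			return fmt.Errorf("role %q is not a trusted approver", a.Role)
		}
		if !ed25519.Verify(pub, approvalMessage(a.Role, cfg), a.Sig) {
			return fmt.Errorf("role %q: signature does not cover this configuration block", a.Role)
		}
		seen[a.Role] = true
	}
	for _, r := range required {
		if !seen[r] {
			return fmt.Errorf("missing approval from role %q", r)
		}
	}
	return nil
}

// DemoKeys generates a fresh Ed25519 key pair per role so the example runs
// stand-alone (constructed for this example; real devices would hold
// provisioned public keys).
func DemoKeys(roles ...string) (map[string]ed25519.PublicKey, map[string]ed25519.PrivateKey) {
	pubs := make(map[string]ed25519.PublicKey)
	privs := make(map[string]ed25519.PrivateKey)
	for _, r := range roles {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[r], privs[r] = pub, priv
	}
	return pubs, privs
}

func main() {
	trusted, privs := DemoKeys("operator", "approver")
	required := []string{"operator", "approver"}

	// Constructed sample configuration block; any byte string works.
	cfg := []byte("interface Ethernet0/1\n ip address 10.0.0.1 255.255.255.0\n no shutdown\n")

	both := []Approval{Sign("operator", privs["operator"], cfg), Sign("approver", privs["approver"], cfg)}
	fmt.Println("two levels, unmodified block:", Verify(cfg, both, trusted, required))

	// The block is edited after approval: the signatures no longer match.
	edited := []byte("interface Ethernet0/1\n shutdown\n")
	fmt.Println("block edited after approval:", Verify(edited, both, trusted, required))

	// Only the operator signed: the second level is missing.
	fmt.Println("operator only:", Verify(cfg, both[:1], trusted, required))
}
```

Unlike a password handed out over the telephone, each approval here can be checked against the bytes that will actually be applied, and the required set of roles expresses the chain of authority directly, so a trivial-change request cannot be used to authorize a catastrophic one.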
Authenticated and verified updates of DNS (TSIG, which uses a keyed hash over a shared secret rather than a public-key signature) have been used in one approach, but these do not use a multi-level authorization mechanism. A related approach provided PGP-signed messages to the InterNIC as an authorization mechanism for DNS updates. However, that approach used a single signature and a single level of authorization.